Security Firm Discloses Flaw in .NET Compiler

A feature added to the Visual C++ .NET compiler in Visual Studio .NET to protect compiled programs against buffer overflows itself introduces the kind of vulnerability -- a buffer overflow -- that it was designed to prevent, a Dulles, Va.-based security consultancy revealed Thursday.

The disclosure comes at a damaging time for Microsoft Corp. The company on Wednesday released Visual Studio .NET, a linchpin of its Web services strategy. Microsoft officials also told an industry publication that the Visual Studio .NET integrated development environment was the first product to undergo the formal code review for security problems mandated by Bill Gates' Trustworthy Computing initiative.

Cigital Inc. issued the warning about the problem on its Web site Thursday.
According to the company, the design-level flaw is in the compiler shipped as Microsoft's Visual C++ .NET, also known as Visual C++ version 7.

Cigital maintains that the defect leaves executable code built by the compiler open to buffer overflow attack. According to Cigital, the feature was bolted on to the Visual C++ compiler to protect compiled programs, at run time, from certain forms of stack buffer overflow; but the run-time check the compiler inserts is itself susceptible to a buffer overflow attack.

Cigital says it found the flaw during pre-release testing of its own unreleased security assessment product.

"The fact that even security features such as Microsoft's broken buffer overflow protection mechanism fall prey to security problems demonstrates the challenge we face," Cigital CTO Gary McGraw said in a statement. "Cigital Labs' discovery shows why relying on a runtime compiler feature to protect against certain types of attacks is not sufficient."
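The article describes the feature only as a StackGuard-style buffer overflow protection bolted onto the compiler. The following C program, added here as an illustration and not code from Cigital, Microsoft or the StackGuard project, shows what that kind of protection does: a guard word is placed directly after a fixed-size buffer and checked before the function returns, so a linear overrun that runs past the buffer is detected. It also shows the general caveat behind McGraw's point that a compiler-inserted run-time check is not sufficient on its own: if the guard value is predictable, an overrun that writes it back unchanged passes the check while still corrupting whatever lies behind it. The frame layout, the guard constant and the inputs are all constructed for the demo; the specific defect Cigital reported is not described on this page and is not modeled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (constructed for this demo): a fixed-size buffer
 * with a guard word directly after it, the way StackGuard-style protection
 * lays out a stack frame so that a linear overrun hits the guard before it
 * reaches anything more valuable (saved registers, the return address). */
#define BUF_SIZE    16
#define GUARD_VALUE 0x5A3C9E71u   /* a fixed constant, not a per-process secret */

typedef struct {
    char     buf[BUF_SIZE];
    uint32_t guard;            /* offset 16: first thing clobbered when buf overruns */
    uint32_t protected_word;   /* stands in for whatever sits behind the guard   */
} guarded_frame;

enum {
    CHECK_FIRED = 0,            /* guard altered: overrun detected              */
    CHECK_PASSED_INTACT = 1,    /* guard intact, nothing behind it touched      */
    CHECK_PASSED_CORRUPTED = 2  /* guard intact, but memory behind it was changed */
};

/* Copies `len` attacker-controlled bytes into the frame without checking
 * against BUF_SIZE (the bug the guard is meant to catch), then performs the
 * epilogue-style guard check. The cap at sizeof(frame) only keeps the demo
 * itself well-defined; it is not the bounds check the caller should have done. */
int copy_then_check(const unsigned char *input, size_t len)
{
    guarded_frame frame;
    frame.guard = GUARD_VALUE;
    frame.protected_word = 0;
    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(&frame, input, len);              /* buf comes first, so excess spills onto guard */
    if (frame.guard != GUARD_VALUE)
        return CHECK_FIRED;
    return frame.protected_word == 0 ? CHECK_PASSED_INTACT : CHECK_PASSED_CORRUPTED;
}

/* Constructed input: exactly fills the buffer. */
int demo_in_bounds(void)
{
    unsigned char in[BUF_SIZE];
    memset(in, 'A', sizeof in);
    return copy_then_check(in, sizeof in);
}

/* Constructed input: 8 bytes too many, so 'A's land on the guard and the
 * check fires before the corrupted protected_word can be used. */
int demo_naive_overrun(void)
{
    unsigned char in[BUF_SIZE + 8];
    memset(in, 'A', sizeof in);
    return copy_then_check(in, sizeof in);
}

/* Constructed input: same overrun, but the attacker knows the guard value
 * and writes it back in place, then overwrites protected_word with 'B's.
 * The check passes although the frame behind the guard was corrupted. This
 * is the classic reason a guard must be secret and randomised per process;
 * it is a general property of this kind of defence, not the specific defect
 * Cigital reported. */
int demo_guard_preserving_overrun(void)
{
    unsigned char in[BUF_SIZE + 8];
    uint32_t g = GUARD_VALUE;
    memset(in, 'A', BUF_SIZE);
    memcpy(in + BUF_SIZE, &g, sizeof g);      /* restore guard in native byte order */
    memset(in + BUF_SIZE + sizeof g, 'B', 4); /* clobber what the guard was protecting */
    return copy_then_check(in, sizeof in);
}

int main(void)
{
    printf("in bounds:                %d\n", demo_in_bounds());
    printf("naive overrun:            %d\n", demo_naive_overrun());
    printf("guard-preserving overrun: %d\n", demo_guard_preserving_overrun());
    return 0;
}
```

The first two cases are what a guard is for: a sloppy overrun is caught. The third case is why a guard is a last line of defence rather than a substitute for bounds checking: the check can only notice writes that change the guard, and it tells you nothing about how its own value, or the code that runs when it fires, might be reached by the same overrun.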

A Microsoft spokesman, who characterized the problem as narrow, publicly expressed anger that Cigital had released the warning immediately without providing a customary 30-day grace period to allow Microsoft to address the problem. The spokesman suggested Cigital may have had a grudge against Microsoft because the security firm lost a bid for the contract to perform an independent security review of Visual Studio .NET prior to its release.

Cigital executives argued that a grace period was unnecessary since Visual Studio .NET was just released, and that an early warning would prevent developers from creating insecure code before a fix was available.

Beyond the timing of its disclosure, Cigital had hard words for Microsoft.

"There is much more to software security than simply demonstrating the right attitude," Cigital president and CEO Jeffery Payne said in a statement.

Meanwhile, a technical paper describing the problem on the Cigital Web site begins: "Microsoft is making an important push to improve software security, as evidenced by the Gates memo of January 2002. However, Microsoft clearly has room for improvement if ... even their security features have architectural security problems."

The paper goes on to suggest that Microsoft failed to thoroughly review available documentation about the StackGuard tool it based the feature on, that Microsoft would have served customers better by rewriting the compiler itself, and that the best solution for developers is to write code in Java.